TrojanDownloader:PowerShell/CoinMiner
First posted on 01 March 2018.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:PowerShell/CoinMiner.
Explanation:
Installation
This threat is downloaded from two URLs:
- URL containing a miner:
http[:]//94.177.123.123/css/6Ov4ZHOg.exe
- URL containing the threat itself, a PowerShell script:
http[:]//94.177.123.123/css/bootstrap.css
It saves the downloaded files to the following locations:
- Miner:
%ProgramData%\spoosvc.exe
- PowerShell script:
%ProgramData%\msupdate.ps1
Payload
Downloads and runs malware
This threat can download and run a miner component to mine Monero cryptocurrency using your PC without your consent.
When run, this threat also adds the following scheduled task without your consent, to ensure that it runs on system startup:
"Spooler SubSystem Service"
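The indicators above (dropped file paths, the persistence task name and the download host) can be turned into a host and log check. The following is an added example written for this page, not Microsoft's own tooling; the function names, the injectable `exists` callback and the sample schtasks output and proxy log lines are constructed assumptions.

```python
import ntpath
import os
import subprocess
from typing import Callable, Iterable

# Indicators from the write-up: files dropped under %ProgramData%,
# the scheduled task used for persistence, and the download host.
DROPPED_FILES = ("spoosvc.exe", "msupdate.ps1")
TASK_NAME = "Spooler SubSystem Service"
DOWNLOAD_HOST = "94.177.123.123"


def check_dropped_files(program_data: str,
                        exists: Callable[[str], bool] = os.path.exists) -> list:
    """Return the write-up's dropped-file paths that exist under program_data.
    `exists` is injectable so the check can run against a fake filesystem."""
    return [ntpath.join(program_data, name)
            for name in DROPPED_FILES if exists(ntpath.join(program_data, name))]


def task_present(schtasks_output: str, task_name: str = TASK_NAME) -> bool:
    """True if `schtasks /query /fo LIST` output lists the persistence task.
    Case-insensitive substring match, so a leading backslash in TaskName still hits."""
    needle = task_name.lower()
    return any(needle in line.lower() for line in schtasks_output.splitlines())


def download_hits(log_lines: Iterable[str], host: str = DOWNLOAD_HOST) -> list:
    """Return proxy/firewall log lines that reference the download host."""
    return [line for line in log_lines if host in line]


def scan_host() -> dict:
    """Live check on a Windows host; reports nothing where schtasks is absent."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    try:
        query = subprocess.run(["schtasks", "/query", "/fo", "LIST"],
                               capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        query = ""
    return {"files": check_dropped_files(program_data), "task": task_present(query)}


# Constructed sample data (not real captures) for an offline run of the parsers.
SAMPLE_SCHTASKS = "Folder: \\\nTaskName: \\Spooler SubSystem Service\nStatus: Ready\n"
SAMPLE_PROXY_LOG = [
    "2018-03-01 10:02:11 GET http://94.177.123.123/css/bootstrap.css 200",
    "2018-03-01 10:02:13 GET http://94.177.123.123/css/6Ov4ZHOg.exe 200",
    "2018-03-01 10:05:00 GET http://example.com/index.html 200",
]
```

On a Windows host, `scan_host()` runs the same checks against the real %ProgramData% and the live schtasks listing.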
Analysis by Alden Pornasdoro
Last update 01 March 2018